While other MediaPost newsletters and articles remain free to all ... our new Research Intelligencer service is reserved for paid subscribers ...

Subscribe today to gain access to the every Research Intelligencer article we publish as well as the exclusive daily newsletter, full access to The MediaPost Cases, first-look research and daily insights from Joe Mandese, Editor in Chief.

Facebook knew in 2015 that President
Trump's consultancy, Cambridge Analytica, harvested personal data of millions of users, but nonetheless received a positive privacy report from auditing firm Pricewaterhouse Coopers.

"In our
opinion, Facebook's privacy controls were operating with sufficient effectiveness to provide reasonable assurance to protect the privacy of covered information and that the controls have so operated
throughout the Reporting Period, in all material respects for the two years ended February 11, 2017, based upon the Facebook Privacy Program set forth in Management's Assertion," the report
states.

Pricewaterhouse Coopers' audit was the result of a consent decree between the Federal Trade Commission and Facebook. In 2011, Facebook agreed to a host of terms, including biennial
privacy audits, to settle an investigation into allegations that it had shared users' information without their permission.

advertisement

advertisement

A version of the audit was quietly posted online several months ago, but didn't draw attention until Thursday afternoon, when the
advocacy group Electronic Privacy Information Center became aware of it.

The report contains many passages that are marked "highly confidential," and have been made unreadable. Marc Rotenberg,
EPIC's president and executive director, says he is still pushing for a more complete version of the report.

Last month, it came to light that Cambridge Analytica obtained information about up
to 87 million Facebook users from researcher Aleksandr Kogan, who gleaned the data in 2014 through the personalty-quiz app "thisisyourdigitallife." Only 270,000 Facebook users downloaded Kogan's app,
but he was able to gather data about many of those users' contacts.

In 2014, when Kogan's app began gathering data, Facebook allowed developers to glean data about downloaders' friends,
subject to their privacy settings. A Facebook spokesperson said Tuesday that the company "respected the privacy settings that people had in place."

Facebook learned in 2015 that Cambridge
Analytica had obtained the data from Kogan, and asked the consultancy to destroy it. The social networking service says it believed at the time that Cambridge Analytica did so. But Facebook didn't
inform users about the data transfers until several weeks ago. The company also didn't ban Cambridge Analytica from its platform until last month.

Many privacy advocates have criticized
Facebook over its handling of the situation, and the FTC is currently investigating whether the company violated the consent decree.

EPIC's Rotenberg notes that his organization has long
raised concerns about Facebook's privacy practices with the FTC. Several years ago, for example, EPIC asked the FTC to stop Facebook from merging data about its users with
WhatsApp. The FTC didn't act on that complaint, but officials in Europe fined Facebook $122 million for misleading officials about the
company's ability to automatically combine data about its users with those of the messaging service WhatsApp. EPIC also filed the FTC complaint that resulted in the 2011 consent decree.

Rotenberg calls the conclusions in the Pricewaterhouse Coopers report "extraordinary," adding that the report marks an "absolute failure" of the oversight mechanisms.

He also faults the FTC
for failing to take action against Facebook before the news about Cambridge Analytica came out.

"There were any number of claims that could have been pursued by the FTC prior to Cambridge
Analytica," Rotenberg tells MediaPost. "With Pricewaterhouse Coopers saying everything looks fine, something is clearly off the rails."

Last week, Zuckerberg addressed the FTC consent decree
during a House hearing. He said that the audits required by the agency "have not found material issues with our privacy programs in place at the company."

He added that while he doesn't
believe there was a violation of the consent decree, there was "clearly a breach of people's trust."

"The standard that we hold ourselves to is not just following the laws that are in place,"
Zuckerberg said. "But we also -- we just want to take a broader view of this in protecting people's information."